PatchSiren cyber security CVE debrief
CVE-2026-8078 Checkmk GmbH CVE debrief
CVE-2026-8078 is a MEDIUM severity vulnerability in Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions. An administrator can store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the Activate Changes page or Audit log.
- Vendor: Checkmk GmbH
- Product: Checkmk
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Users of Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions.
Technical summary
Stored cross-site scripting in the global settings change log in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the Activate Changes page or Audit log.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Checkmk version 2.5.0p5 or later, 2.4.0p31 or later, or 2.3.0p48 or later.
- Apply the vendor advisory: Checkmk Werk 17992
Evidence notes
CVE-2026-8078 was published on 2026-06-08T13:16:33.760Z and modified on 2026-06-08T15:53:41.557Z. The CVSS score is 4.8 (MEDIUM).
Official resources
- CVE-2026-8078 CVE record (CVE.org)
- CVE-2026-8078 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Vendor Advisory (public)